LOOSE DATA

Add to the stolen laptop containing data about veterans and active-duty personnel, a similarly swiped laptop with personal information from the Federal Trade Commission, improper posting of personal information from the Navy and improperly disclosed data on employees from the departments of agriculture, energy and even the Government Accountability Office.

This is either a string of really bad luck or the federal government’s data-security standards have become outdated and inadequate. We’re betting it’s the latter.

Some of the departmental problems may be attributed to a lackadaisical attitude toward useful security rules – the agencies with the biggest data losses had all been warned to improve their systems by the House Government Reform Committee. Other losses may be caused by an absence of guidance for new technology: Who would have guessed a generation ago that anyone could walk out of the VA with 26.5 million personnel files? Finding the specific causes of these lapses is worthwhile, which is why it’s encouraging that Sen. Susan Collins, chairman of the Homeland Security and Governmental Affairs Committee, is planning hearings on the topic to review the effectiveness of the Privacy Act of 1974.

Some of the issues the hearings are expected to cover include ambiguous language in the law that might lead to misunderstanding among agencies; the ability of the law to accommodate technological developments; how data is stored and retrieved; what a information-management system must include; and how the threat of terrorism should be considered in the sharing of information.

Given that several of the agencies that have had data leaks have also been warned previously about their shortcomings and failed to take adequate action, the committee should also look into greater incentives and penalties to improve compliance.

As with private industry, some government agencies have begun to set their own rules for employee responsibility for restricted information. The VA, for instance, is about to put such a directive in place (though a second directive to require reviews of agency laptop encryption codes, according to news reports, is being held up by a class-action lawsuit).

It’s good that agencies are taking action; it would be better if government-wide reform improved security even for departments that did not know they had data-security shortcomings.

The Governmental Affairs Committee is opening up a major issue in reviewing data security, and compliance with whatever rules it proposes will be a permanent challenge. But with a government determined to collect more and more information about all Americans, even under secretive conditions, the public should have confidence that the agencies know how to handle it responsibly.